Open Issues Need Help
AI Summary: The system currently lacks the ability to deactivate or activate user accounts, preventing proper user access control and posing a significant security risk. This missing functionality blocks a critical test case (AUTH_LOGIN_03) designed to verify that inactive users cannot log in. Implementing this feature requires adding UI options, backend APIs, and updating the authentication flow to manage user status effectively.
AI Summary: The GitHub issue describes a security vulnerability where the login page provides different error messages for unknown usernames ("Username not found") versus existing usernames with incorrect passwords ("Invalid credentials"). This allows for username enumeration, enabling attackers to confirm valid user accounts, which is a precursor to brute-force attacks and phishing. The proposed fix involves returning a single, generic error message for both scenarios.